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Description 

The present invention relates generally to maintain- 
ing security within a distributed computer system or net- 
work, and particularly to methods and systems for main- s 
taining security where the physical media interconnect- 
ing the computers in a distributed system are not secure. 

BACKGROUND OF THE INVENTION 

10 

Maintaining security within a distributed computer 
system or network has historically been a problem. Se- 
curity in such systems has several aspects, including: 
(1) authentication of the identities of users and systems 
involved in a communication, (2) secure transmission of 15 
information, and (3) requiring the system and user which 
receive secure communications to following predefined 
protocols so as to preserve the confidentiality of the 
transmitted information. 

In many military computer systems, security is en- 20 
sured by verifying that all the computer hardware, in- 
cluding communications lines used to interconnect com- 
puters, is physically secure. In most commercial situa- 
tions, however, physically secure computer hardware 
and communications lines are not practical. Therefore 2s 
security for these commercial applications must be pro- 
vided using mechanisms other than physical security. 

There are a number of publicly available techniques 
for providing reliable authentication of users (actually, 
named members) in a distributed network, including 30 
RSA Public Key authentication, and Needham & 
Schroeder's trusted third-party authentication technique 
(used in Kerberos, which is a trademark of MIT, from 
MIT's Project Athena). 

However, in many computing environments, knowl- 35 
edge of only the user's identity is not sufficient informa- 
tion in order to determine whether access to specific da- 
ta should be allowed. In many cases, additional infor- 
mation is needed to make that decision. This additional 
information may take many forms, such as where the 40 
user's workstation is located (e.g., whether it is in a se- 
cure area), or what secrecy level the user is operating 
under at the current time. This additional information is 
referred to as the •environment" in which the user is run- 
ning. For example, both military and commercial com- 45 
puter systems use the concept of •levels' of security. 
Basically, a number of distinct security levels are need- 
ed in many systems because some information is more 
confidential than other information, and each set of con- 
fidential information has an associated set of authorized so 
recipients. 

The users participating in a communication cannot 
be trusted to always correctly represent the environment 
in which they are running. Instead, secure communica- 
tions require that the computer operating system sup- ss 
porting a user's process must be responsible for com- 
municating information about the user's environment to 
other systems in the network. 



The present invention helps to provide secure com- 
munications between systems by providing a mecha- 
nism for ensuring that communications occur within 
"trust realms" of systems, and also by authenticating 
both the systems and users which are participating in a 
communication. Furthermore, multiple levels of security 
are supported by transmitting validated security level la- 
bels along with data that is being transmitted, with the 
labels being encoded so that the recipient can verify that 
the specified security level label is authentic. 

IEEE Symposium on Security and Privacy, April 
1987 pp 167-172; D.P. Anderson et al: "A Basis For Se- 
cure Communication in Large Distributed Systems" de- 
scribes a distributed multilevel computer security sys- 
tem and method according to the preamble of the ap- 
pended claims 1 and 7. 

SUMMARY OF THE INVENTION 

In summary, the present invention as defined in the 
appended claims is a computer security system which 
strengthens the basis for trust between computers 
which are exchanging messages using a network not 
physically secure against interlopers. To do this, the 
present invention provides a trust realm table that de- 
fines which computers are members of predefined trust 
realms. All the members of each predefined trust realm 
enforce a common set of security protocols for protect- 
ing the confidentiality of data. 

Each computer that is a member of a trust realm 
enforces a predefined security policy, and also defines 
a security level for each set of data stored in the com- 
puter. Thus, each message has an associated label de- 
noting how to enforce the computer's security policy with 
respect to the message. 

A trust realm service program in each computer is 
charged with the task of labelling and formatting users' 
messages for transmission to specified other computer 
systems. The trust realm service program is part of the 
computer's kernel or operating system and is normally 
invisible to the users of the system - unless they try to 
breach the computer system's security policies by trying 
to transmit data to another computer that is not a mem- 
ber of a trust realm shared by the user's computer. 

Before transmitting a specified message, the trust 
realm service program uses the trust realm table to ver- 
ify that both the local computer system and the specified 
target computer system are members of at least one 
common trust realm, and then selects one of those com- 
mon trust realms. If the computer system and the spec- 
ified computer system are not both members of at least 
one common trust realm, the message is not transmitted 
because transmission of the message is not authorized 
- because the specified target computer cannot be trust- 
ed to enforce the sending computer's security policies. 

If the two computers are members of a common 
trust realm, the message is transmitted as a protocol da- 
ta unit, which includes a sealed version of the message, 
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authenticated identifiers for the sending system and us- 
er, the message's security level label, and an identifier 
for the selected trust realm. 

Received protocol data units are processed by val- 
idating each of the components of the received protocol 
data unit before accepting the sealed message in the 
protocol data unit as authentic. Further, the security lev- 
el label in the received protocol data unit is used by the 
receiving computer to determine what predefined secu- 
rity policy is to be enforced with respect to the message. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Additional objects and features of the invention will 
be more readily apparent from the following detailed de- 
scription and appended claims when taken in conjunc- 
tion with the drawings, in which: 

Figure 1 is a block diagram of a computer network 
coupled to a number of separate computer systems. 

Figure 2 depicts one embodiment of a trust realm 
table. 

Figure 3 is a block diagram of two computers, inter- 
connected by a network, one of which is transmitting da- 
ta to the other. 

Figures 4A and 4B are flow charts of the secure data 
transmission method of the present invention. 

Figure 5 is a block diagram of the data structure for 
messages transmitted from one computer to another. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

Referring to Figure t , the present invention is a se- 
curity protocol system, or security protocol technique 
which typically operates in the context of a collection 1 00 
of computers 102-108 interconnected by a local or wide 
area network 110 or some other communications medi- 
um. Each of these computers 102-108 is said to be lo- 
cated at a distinct node of the networked computer sys- 
tem 100. 

Each computer 102-108 contains the standard 
computer system components, including a data 
processing unit, system bus, random access memory 
RAM, read only memory (ROM), mass storage (e.g., 
magnetic or optical disks), a user interface (e.g., key- 
board, monitor and printer) and communications ports. 
These physical computer components (not shown) are 
not modified by the present invention and are therefore 
not described in detail herein. 

One item that is used in one preferred embodiment 
of the present invention is a secure 'naming service" 1 1 2 
that is accessible to all the computers 102-108 via the 
network. The naming service 1 1 2 is essentially a simple 
database management system which maintains a set of 
data that can be relied upon as being accurate by all the 
users of the network 112. In the context of the present 
invention, the naming service 112 contains listings of 
trust realms"; the meaning of which will be explained in 
more detail below. The naming service 1 1 2 is said to be 



secure because its contents (and delivery thereof) are 
protected from modification by unauthorized sources, 
which allows recipients of data from the naming service 
112 to know that they can rely on the information ob- 
5 tained therefrom. There are a number of practical prob- 
lems involved in the construction of secure naming serv- 
ices, and therefore other embodiments of the present 
invention use an alternate scheme for denoting trust 
realms. 

70 

TRUST REALMS. 

A central concept used by the present invention is 
that of trust realms." A trust realm is a collection of corn- 
's puter systems which share a common security policy, 
and trust one another to maintain that policy Further- 
more, the computer systems that are members of a trust 
realm have an agreed upon method of communicating 
an 'environmental label" or 'security level label" asso- 
20 ciated with each message transmitted between sys- 
tems. 

Basically, a trust realm is a known set of computers 
that can be trusted to properly handle confidential infor- 
mation, and to folbw a predefined set of rules (called a 

2$ security policy) Jor handling such data. 

A single computer can be a member of a plurality 
of distinct trust realms. The reason for having more than 
one trust realm is so that a computer system can utilize 
different security policies when transmitting data to var- 

30 bus different computers. More simply, different organi- 
zations tend to use different security policies for han- 
dling confidential information, and there is one trust 
realm for each such security policy. For instance, a mil- 
itary organization may organize data into different levels 

35 of secrecy, including "sensitive", "secret", "top secret" 
and so on. On the other hand, a commercial organiza- 
tion might organize data into security levels such as: "of- 
ficers only", "board of directors only", "managerial info", 
"all employe© info", "special project A", and so on. Each 

40 security policy defines how data that is labelled with a 
particular security level label is to be handled, and thus 
for each security policy there is a predefined set of se- 
curity level labels. 

Referring to Figure 2, the naming service 112 main- 

45 tains a defined list of trust realms. This list is organized 
as a flat file or database table 1 30, with one row 1 32 for 
each computer system that is a member of at least one 
trust realm. The row or record for a particular specified 
computer system lists all the trust realms which that sys- 

so tern belongs to. There are two preferred embodiments 
of this table 130. 

In the embodiment shown in Figure 1 , there is a se- 
cure naming service 112 which contains the trust realm 
table 1 30. The advantage of this embodiment is that the 

55 security manager in charge of maintaining the trust 
realm table needs to store only one copy of the trust 
realm table 1 30, which is then available for every one to 
use. The disadvantage is that it is difficult to design a 
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secure naming service. A second embodiment of the 
trust realm table 130 is simply to include a copy of the 
table in every computer system which is a member of at 
least one trust realm. This has the obvious disadvantage 
of requiring that updates to the table be copied into all 
these computer systems in a way that is safe and se- 
cure. However, this second embodiment has the advan- 
tage of being relatively easy to implement. 

GLOSSARY 

The following are definitions of terms used herein. 

ASSOCIATION. An association is formed between 
two computers when the present invention has success- 
fully exchanged authentication, trust realm, and envi- 
ronmental information describing the calling and target 
users. This exchange allows the two systems to form a 
common security context describing the environment 
shared between two users. The association allows a 
sending system to refer to this previously established 
security context when sending any additional messages 
between the users, rather than ^authenticating the 
sending user and his environment all over again. 

AUTHENTICATED MESSAGE. Authenticated data 
is data which has been either encrypted or signed using 
authentication techniques which allow the origin (i.e., 
the sender) of the data to be validated. "Signing" a mes- 
sage (i.e., a set of data) is similar to physically signing 
a letter or a check, in that the signature validates the 
authenticity of the signed document (or set of data). The 
signing of digital messages in computer systems is per- 
formed using authentication techniques, a number of 
which are used in prior art computer systems for vali- 
dating various types of data transmissions. In the con- 
text of the present invention, messages and the associ- 
ated information sent along with messages (including 
sending system and user identifiers, trust realm identi- 
fier, and label) are ail authenticated so as to allow the 
receiving system to verify that the received data was in 
fact sent by the alleged sending system. The source of 
a message or other set of data can be authenticated by 
either signing with a digital signature, or by encrypting 
the message using a key shared only with a previously 
established source. Details of data authentication, sign- 
ing, encryption and decoding are not discussed herein 
because these topics are well known to those skilled in 
the art. These prior art techniques are used as tools by 
the present invention to implement portions of the 
present invention's trust realm security methodology. 

ENVIRONMENT and LABEL. In most commercially 
available computer systems that have internal security 
protection, ail data stored in the computer is tagged or 
labeled with so-called "environment" information, which 
is indicative of the security characteristics of the process 
in the computer that created that data. In this document, 
the terms "security level" and "environment" are used 
interchangeably to refer to those characteristics of a us- 
er which are pertinent to the security policy or policies 



used by the computer. 

TARGET. A target system or a target application is 
the system or application to which communication is di- 
rected by a calling system or user. 

s SECURITY POLICY A security policy is a set of 
rules which determine the availability of data to individ- 
ual computers and/or users, along with accompanying 
rules specifying actions that must be taken upon provid- 
ing or denying access data by a specified computer or 

io user. In many cases, these rules are dependent on fac- 
tors other than the identities of the computers and users 
to whom the data is being sent. In particular, the envi- 
ronment or security level labels associated with trans- 
mitted data often determine how the transmitted data is 

15 to be handled. 

MESSAGE HANDLING. 

Referring to Figure 3, the basic situation in which 
the invention operates is as follows. A user running on 
a first computer 150, herein called the calling system, 
wants to send a message to a specified user running on 
a specified second computer 170, herein called the tar- 
get or receiving system. Figure 3 shows the various soft- 
ware modules that are involved in the transmission of 
this message. These software modules include security 
mechanisms which determine whether transmission of 
the message is allowed, how the message is to be en- 
coded, and what security protocols are to be used during 
transmission of the message as well as after receipt of 
the message. 

Referring to the block diagram in Figure 3 and the 
flowchart in Figure 4A, the transmission process begins 
when an initiating application 152 in the calling system 
150 generates a message 1 53 and sends it to the calling 
system's network interface 1 54 with instructions that the 
message is to be sent to a specified user (or application 
program) running on a specified computer (step 200 in 
Figure 4A). The network interface 154 is the boundary 
between the potentially untrusted user program and the 
trusted networking programs with the computer system. 

If the calling computer system 150 had no security 
mechanisms for controlling the flow of messages into 
and out of the computer 150, the network interface 154 
would directly send the message 153 to the computer's 
transport service routine 155, which handles the actual 
transmission of data over a network. The transport serv- 
ice routine 155 handles the protocols associated with 
data transmission over a particular type of network, such 
as Internet's TCP or UDP, ISO's Connection Oriented or 
Connectionless Transport Services, or whatever under- 
lying networking protocol stack is being used. Each such 
network has a predefined sequence of actions which 
must be performed in order to successfully transmit a 
message to a specified destination, and the details of 
that protocol are handled by the transport service rou- 
tine 155. 

In some embodiments of the present invention, 
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there is a special provision for 'unclassified data', which 
is data that the computer's internal security system de- 
notes as being unrestricted by security protocols. If the 
calling computer system 150 has such a provision, and 
the message being sent is unclassified (step 202), then 
the message is transmitted without further processing 
(step 204). In other embodiments of the invention, no 
provision is made for special handling of 'unclassified 
data' because all the computer systems on the relevant 
computer network require that all transmitted data be 
treated as being confidential, or at least as having an 
associated data security level. 

Assuming that the message is either classified for 
security purposes or that the calling system does not 
have unclassified data, the message 153, now in the 
trusted, or protected, part of the computer system is next 
processed by a trust realm service program (TRSP) 
156. The TRSP's first job is to determine whether the 
calling system and the target system are both members 
of a shared trust realm (steps 206 and 208). This is done 
by retrieving from the trust realm table 1 30 (1 ) the set of 
trust realms associated with the target system and (2) 
the set of trust realms associated with the calling sys- 
tem Note that if the target system is not listed in the 
trust realm table 1 30, this means that it is not a member 
of any trust realms. If the two systems are not both mem- 
bers of a common trust realm (or, alternately stated, if 
the target system is not a member of any of trust realms 
of which the calling system is a member) then the mes- 
sage transmission sequence is aborted and the mes- 
sage is not sent (step 21 0). Basically, if there isnl a com- 
mon trust realm for the two systems, transmission of the 
message is unauthorized and therefore the message is 
not sent. 

Next, the TRSP 1 56 must select a trust realm from 
among the set of trust realms of which both the calling 
and target systems are members (step 212). If there is 
only one common trust realm, then that is selected; oth- 
erwise one of the trust realms must be selected. The 
method of making this selection will depend on security 
considerations that are not relevant to the present in- 
vention, but generally the trust realms will either be pri- 
oritized in terms of which should be selected when more 
than one common trust realm exists, or the selection of 
a trust realm will depend on the characteristics of the 
message which is being sent. Once a trust realm is se- 
lected, the TRSP 1 56 calls the selected trust realm's se- 
curity management program 158. 

A trust realm security management program 158 is 
the program responsible for enforcing the security poli- 
cies of a particular trust realm. It handles data security 
level labels in accordance with a predefined set of rules 
for the trust realm and interacts with the trusted comput- 
ing base 1 60 to obtain the local data security level labels 
associated with messages that are being sent. It also 
interacts with the trusted computing base 160 so that 
the data security level labels on received messages can 
be converted back into the format associated with the 



computer's local data security level labels. 

A trusted computing base 160 is that part of a com- 
puter system which is responsible for maintaining the 
computer's local security policy. This means that it main- 

s tains the confidentiality of data stored in the system and 
prevents unauthorized data sharing between users and 
processes running on the computer. The trusted com- 
puting base 160 is therefore responsible for assigning 
security level labels or environmental information to 

10 processes running on the computer and to the data that 
is created or stored by those processes. 

Next, the trust realm security management program 
158 calls upon the trusted computing base (TC8) 160 
to determine the environment or data security level label 

is associated with the initiating application 1 52 (i.e. , asso- 
ciated with the message that is being transmitted). Note 
that since a number of different types of computers may 
share a trust realm, the internal formats used to denote 
local data security level labels may vary from computer 

20 to ^computer within a trust realm. Therefore, if neces- 
sary, the trust realm security management program 1 58 
converts the local data security level label used by the 
calling computer 1 50 into another format that is used by 
the trust realm for transmitting data security level labels 

25 (step 2 1 4). If the TCB 1 60 approves of sending message 
153 (step 216), then the permission and new format la- 
bel are returned to the TRSP 156. Otherwise, permis- 
sion is denied, the message transmission sequence is 
aborted and the message is not sent (step 210). The 

30 trust realm security management program 1 58 may also 
perform any checks required by the trust realm which 
are not normally done by the local TCB 160. 

Assuming permission to send the message was ob- 
tained from the TCB 1 60, the message to be sent is now 

35 converted into a new format so as to include authenti- 
cated identifiers for the calling system and user, the trust 
realm, and also to include a security level label (step 
21 8). The next step after that is to authenticate the mes- 
sage so that the receiving system 170 can validate the 

40 received message (step 220). More specifically, the call- 
ing system and user are authenticated, the trust realm 
identifier and security level label are signed under the 
system authentication, and the user message is signed 
under the user authentication. Authentication and sign- 

*5 ing are performed by having the trust realm service pro- 
gram 156 call an authentication service program 162 
which signs specified sets of data so as to validate the 
source of the signed data. In some embodiments the 
signed data will be encrypted so that interlopers moni- 

50 toring network traffic will not be able to determine the 
content of the messages being transmitted. 

The resulting data structure for the transmitted mes- 
sage 1 53B, shown in Figure 5, is then sent to the calling 
computer's transport service module 155 for transmis- 

55 sion over a communications network 110 to the target 
computer system 170 (step 222). The data structure 
shown in Figure 5, generally known as a protocol data 
unit 250, contains protocol control information 251, 
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which includes the trust realm being used 252, the data 
security level label denoted in the format associated with 
the trust realm 254, and any other information 256 need- 
ed to specify the protocols to be used when handling the 
data at the received computer system (all of which are 
signed values). This information is "sealed", which 
means that it is either encrypted or signed using the au- 
thentication service program 162. Authentication infor- 
mation for the calling system 262 and user 266 may also 
be present. Once an association has been established 
between two computer systems, this information can be 
abbreviated by sending a reference to the existing as- 
sociation 257, if necessary, and those aspects of the se- 
curity level label which have changed 258 since the as- 
sociation was established. The message data structure 
also includes a service data unit 260 which contains the 
user's "sealed message" (i.e., a message which has ei- 
ther been encrypted or signed) 268. 

Referring to Figure 4B, when the transmitted mes- 
sage is received (step 230) at the receiving system 1 70, 
the received message 153B is processed as follows. 
Unclassified messages that are transmitted outside the 
trust realm security protocols are recognized as such 
(step 232), and are routed by the trust realm service pro- 
gram 174 directly to the receiving application 186 via 
network interlace 1 84 (step 234), without performing the 
validation steps described below. 

Assuming that the received message 153B is not 
unclassified, the received message is first sent by the 
receiving computer's transport service routine 172 to 
that computer's trust realm service program 1 74 for val- 
idation. The trust realm service program 174 validates 
the received message by calling the receiving system's 
authentication service program 178 (step 236). 

If any part of the message (i.e., the transmitted pro- 
tocol data unit) is not validated by the authentication 
service 178 (step 238), the message delivery process 
is aborted and the received message is discarded (step 
240). Failure to validate the message means that either 
the alleged sender did not send this message (i.e., it is 
a message from an interloper posing as the sending sys- 
tem), or that some portion of the message was changed 
by an interloper during the transmission process. 

If the sending and receiving system identifiers are 
successfully validated, this means that the alleged 
sending system did in fact send the message, and that 
the sending system intended the receiving system to be 
the target system. Furthermore, the security level label 
for the message is validated and therefore known to be 
valid. 

The receiving system's TRSP 174 then checks the 
trust realm table 1 82 to determine whether the identified 
sending system is a member of the trust realm specified 
by the received message 1 53B and whether the receiv- 
ing system is also in that trust realm (steps 242 and 244). 
If not, then the message was improperly transmitted, 
and the message is discarded as being unauthorized for 
receipt by this system 170 (step 240). 



Assuming that the trust realm check is successful 
(step 244), the received security level label is then 
passed to the appropriate trust realm security manager 
176 to be converted, if necessary, into the format used 
5 by the receiving computer's trusted computing base 1 80 
(step 245). 

The trust realm security manager 176 then checks 
with the TCB 180 to get permission to deliver the la- 
belled message to the target application (step 246). If 

10 permission is not granted (step 247), then the message 
is not delivered (step 240). Otherwise control of the val- 
idated message, including its security level label, is 
transferred back to the trust realm service program 1 74. 
Finally, if the message has passed all these tests, 

'5 the message portion of the converted message 153C 
(which is identical to the originally sent message 1 53) is 
transmitted via the network interface 184 to the receiv- 
ing application 186 (step 248). 

20 ESTABLISHING AN ASSOCIATION. 

When all the trust realm and security level label in- 
formation has been validated (steps 236, 238, 242 and 
244), this information is stored in the receiving system, 

25 thereby establishing an association with the sending 
system. The establishment of an association enables 
more efficient data transmission by allowing the sending 
system to eliminate those portions of the protocol control 
information 251 (see Figure 5) which have not changed 

30 since the last message sent between the two systems. 
Furthermore, failure to establish an association auto- 
matically results in rejection of the received message 
because the received message has not been proven to 
be authentic. In the preferred embodiment, associations 

35 are automatically terminated after a predefined period 
of time if not renewed by the continued transmission of 
data between the two systems. 



40 Claims 

1. A message transmission apparatus in a computer 
network comprising: 

45 a multiplicity of computers (102-108, 150, 170) 

interconnected by a network, each computer 
(1 50) including data transmission and receiving 
apparatus (155,172), and a security apparatus 
(156-162) that generates protocol data units 

so (250) to be transmitted to other ones of said 

computers (1 70) via said data transmission and 
receiving apparatus and that validates and 
processes protocol data units received from 
other ones of said computers via said data 

55 transmission and receiving apparatus; 

the security apparatus (156-162) in each of a 
plurality of said computers (150), comprising: 
a trusted computing base (1 60) which enforces 
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a predefined security policy in said computer 
and which defines a security level for each set 
of data stored therein; 

authentication means (162, 178) for authenti- 
cating and validating messages sent to another s 
computer via said network; and 
trust realm defining means (1 30) for storing in- 
formation denoting which ones of said comput- 
ers are members of predefined trust realms; 
wherein for each predefined trust realm there io 
is a corresponding predefined security proto- 
col, enforced by ail of said each predefined trust 
realm's members, for protecting confidentiality 
of data transmitted between said members of 
said each predefined trust realm; is 

characterized by: 



ance with the predefined security protocol cor- 
responding to the selected trust realm identified 
by said identifier in said received protocol data 

unit; 

said trusted computing base (160) in at least a 
plurality of said computers including means for 
enforcing a plurality of predefined security pro- 
tocols with respect to received protocol data 
units (250), each predefined security protocol 
corresponding to one of said predefined trust 
realms; wherein one of said plurality of prede- 
fined security protocols is applied by said trust- 
ed computing base (160) to each received pro- 
tocol data unit (250) in accordance with the se- 
lected trust realm identified by said identifier 
(252) in said each received protocol data unit 
(250). 



each said message (153B) comprising data 2. 
having an associated label (251 ) denoting how 20 
said trusted computing base is to enforce se- 
curity policy with respect to said message; 
said security apparatus (156-162) in each of 
said plurality of said computers, further includ- 
ing: 25 
trust realm service means (156), coupled to 
said trusted computing base (1 60), authentica- 3. 
tion means (162) and trust realm defining 
means (130), for preparing a specified mes- 
sage (1 53B) for transmission to a specified oth- 30 
er computer (170), said trust service means 
adapted for: 

obtaining (206) trust realm information stored 
by said trust realm defining means, verifying 
(208) that both said computer (150) and said 35 
specified computer (170) are members of at 4. 
least one common trust realm, and selecting 
(21 2) a trust realm from among said at least one 
common trust realm, 

authenticating (218) said message (268) and to 
said label (251) associated with said message, 
and 

generating (21 8-220) a protocol data unit (250), 
to be transmitted to said specified other com- 
puter via said computer's message transmis- 45 
sion apparatus (1 55), said protocol data unit in- 
cluding said authenticated message and label, 
and an identifier (252) that identifies said se- 
lected trust realm; 

said trust realm service means (156) further so 
adapted for: 

validating (236) the message (268) and label 
(251 ) in each protocol data unit (250) received 
by said computer, via said message transmit- 
ting and receiving apparatus, from other ones 55 
of said computers, and 5. 
processing (245) said label and said message 
in said received protocol data unit in accord- 



The message transmission apparatus set forth in 
claim 1 wherein said trust realm service means 
(1 56) is adapted to abort (208, 210) transmission of 
a message when, according to said information 
stored in said trust realm defining means (1 30), said 
computer and said specified other computer are not 
members of a common trust realm. 

The message transmission apparatus set forth in 
claim 1 or claim 2, said trust realm service means 
(1 74) adapted to convey said label in said received 
protocol data unit (250) to said trusted computing 
base (180); said trusted computing base (180) 
adapted to enforce a predefined security policy with 
respect to said message in said received protocol 
data unit (250) in accordance with said label. 

The message transmission apparatus set forth in 
Claim 1, said trust realm service means (156) in- 
cluding means for including with each transmitted 
protocol data unit (250) a source identifier (262) that 
identifies the computer sending said transmitted 
protocol data unit (250); 

said trust realm service including means for au- 
thenticating said source identifier (262) and 
said selected trust realm identifier (252); 
said protocol data unit (250) including said au- 
thenticated source identifier and authenticated 
selected trust realm identifier (252); and 
said means (156, 174) for validating messages 
received by said computer including means for 
validating each of said components of a re- 
ceived protocol data unit (250) before accept- 
ing said message in said protocol data unit 
(250) as authentic. 

The message transmission apparatus set forth in 
Claim 1, said trust realm service means (156) 
adapted to: 
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include with each transmitted protocol data unit 
(250) a source identifier (262) that identifies the 
computer sending said transmitted protocol da- 
ta unit (250), 

to authenticate said source identifier and said 5 
selected trust realm identifier, and 
to seal said message (268) and its label (251); 
said protocol data unit (250) including said au- 
thenticated source identifier, said authenticat- 
ed selected trust realm identifier (252), and said 10 
sealed message (268) and label (251); and 
said trust realm service means (174) further 
adapted to validate each of said components of 
a received protocol data unit (250) before ac- 
cepting said sealed message in said protocol >5 
data unit (250) as authentic. 

6. A method of enforcing security protocols when 
transmitting messages between computers via a 
computer network having a multiplicity of comput- 20 
ers coupled thereto, the steps of the method com- 
prising: 

storing information (130) denoting computers 
which are members of predefined trust realms; 2s 
wherein all the members of each predefined 
trust realm enforce a common set of security 
protocols for protecting confidentiality of data; 
authenticating (218) and validating (236) a 
specified message that an application running 30 
in a computer (150) is attempting to send to a 
specified other computer (170) via said net- 
work, each said message comprising data hav- 
ing an associated label denoting how a prede- 
fined security policy is to be enforced with re- 35 
spect to said message; 

characterized by said authenticating and val- 
idating steps including the steps of: 

40 

accessing (206) said stored trust realm infor- 
mation, verifying that both said computer sys- 
tem and said specified computer system are 
members of at least one common trust realm, 
and selecting a trust realm from among said at 
least one common trust realm; 
authenticating (218) said message and its as- 
sociated label; 

transmitting (222) to said specified other com- 
puter a protocol data unit (250) including said so 
authenticated message (268) and label (251), 
and an identifier (252) that identifies said se- 
lected trust realm; 

receiving (230) said protocol data unit (250) at 
said specified other computer; 55 
validating (236) the message and label (251 ) in 
said received protocol data unit (250) before 
accepting said message and label (251 ) in said 



protocol data unit (250) as authentic; 
processing said label (251) and said message 
in said received protocol data unit (250) in ac- 
cordance with the predefined security protocol 
corresponding to the selected trust realm iden- 
tified by said identifier in said received protocol 
data unit (250); and 

in at least a plurality of said computers, enforc- 
ing a plurality of predefined security protocols 
with respect to received protocol data units 
(250), each predefined security policy corre- 
sponding to one of said predefined trust realms; 
wherein the predefined security policy enforced 
with respect to each received protocol data unit 
(250) corresponds to the selected trust realm 
identified by said identifier in said each re- 
ceived protocol data unit (250). 

7. The method of enforcing security protocols when 
transmitting messages between computers as set 
forth in claim 6, including the step of aborting (208, 
210) transmission of a message when, according 
to said stored trust realm information, said compu- 
ter and said specified other computer are not mem- 
bers of a common trust realm. 

8. The method of enforcing security protocols when 
transmitting messages between computers set 
forth in claim 6 or claim 7, including the step of en- 
forcing a predefined security policy with respect to 
said message in said received protocol data unit 
(250) in accordance with said label (251 ) in said re- 
ceived protocol data unit (250). 

9. The method of enforcing security protocols when 
transmitting messages between computers set 
forth in claim 6, 7, or 8, 

said authenticating step (218) including au- 
thenticating a source identifier (262) that iden- 
tifies the computer sending said transmitted 
protocol data unit (250), and authenticating 
said selected trust realm identifier (252) for said 
protocol data unit (250); 
said transmitting step (222) including transmit- 
ting as part of each transmitted protocol data 
unit (250) said authenticated source identifier 
and said authenticated selected trust realm 
identifier; and 
. said validating step (236) including validating 
all authenticated components of a received pro- 
tocol data unit (250) before accepting said mes- 
sage in said protocol data unit (250) as authen- 
tic. 

10. The method of enforcing security protocols when 
transmitting messages between computers set 
forth in any one of claims 6, 7, 8 or 9, 



8 



15 



EP0 465 016 B1 



16 



said authenticating step (218) including au- 
thenticating a source identifier that identifies 
the computer sending said transmitted protocol 
data unit (250), and authenticating said select- 
ed trust realm identifier (252) for said protocol s 
data unit (250); 

said method further including the step of seal- 
ing (220) said message and its label (251 ); 
said transmitting step (222) including transmit- 
ting as part of each transmitted protocol data io 
unit (250) said sealed message and label (251 ), 
said authenticated source identifier and said 
authenticated selected trust realm identifier; 
and 

said validating step (236) including validating 15 
all authenticated components of a received pro- 
tocol data unit (250) before accepting said mes- 
sage in said protocol data unit (250) as authen- 
tic. 



PatentansprOche 

1. Nachrichtensendevorrichtung in einem Computer- 
netz, mit 25 

mehreren Computern (102-108, 150, 170), die 
durch ein Netz miteinander verbunden sind, 
wobei jeder Computer (150) eine Datensende- 
und eine Datenempfangsvorrichtung (155, 30 
172) sowie eine Sicherheitsvorrichtung 
(156-162) enthalt, die Protokolldateneinheiten 
(250) erzeugt, die an die anderen Computer 
(170) uber die Datensende- und Datenemp- 
fangsvorrichtung gesendet werden sollen, und 35 
die Protokolldateneinheiten, die von den ande- 
ren Computern uber die Datensende- und Da- 
tenempfangsvorrichtung empfangen werden, 
validiert und veraroeitet; 

wobei die Sicherheitsvorrichtung (156-162) in 40 
jedem der mehreren Computer (150) enthalt: 
eine vertrauensschaffende Berechnungsbasis 
(160), die eine im voraus definierte Sicherheits- 
politik in dem Computer erzwingt und die fur je- 
de darin gespeicherte Datenmenge ein Sicher- 45 
heitsniveau definiert; 

eine Authentifizierungseinrichtung (162, 178) 
zum Authentifizieren und Validieren von Nach- 
richten, die uber das Netz an einen weiteren 
Computer geschickt werden; und so 
eine Vertrauensgebiet-Definitionseinrichtung 
(130) zum Speichem von Informationen, die 
angeben, welche der Computer Elemente von 
im voraus definierten Vertrauensgebieten sind; 
wobei fur jedes im voraus definierte Vertrau- 55 
ensgebiet ein entsprechendes im voraus defi- 
niertes Sicherheitsprotokoll vorhanden ist, das 
durch samtliche Elemente jedes im voraus de- 



finierten Vertrauensgebiets erzwungen wird, 
urn die Vertraulichkeit der Daten, die zwischen 
den Elementen jedes der im voraus definierten 
Vertrauensgebiete gesendet werden, zu schut- 
zen; 

dadurch gekennzeichnet, daB: 

jede der Nachrichten (153B) Daten enthalt, die 
ein zugeordnetes Etikett (251) besitzen, das 
angibt, wis die vertrauensschaffende Berech- 
nungsbasis die Sicherheitspolitik in bezug aut 
die Nachricht erzwingen soil; 
die Sicherheitsvorrichtung (156-162) in jedem 
der mehreren Computer femer enthalt: 
eine Vertrauensbereich-Diensteinrichtung 
(156), die mit der vertrauensschaffenden Be- 
rechnungsbasis (160), der Authentifizierungs- 
einrichtung (162) und der Vertrauensgebiet- 
Definitionseinrichtung (130) verbunden ist, urn 
eine spezifische Nachricht (153B) fur die Sen- 
dung an einen spezifischen anderen Computer 
(170) vorzubereiten, wobei die Vertrauens- 
diensreinrichtung so beschaffen ist, daB sie: 
Vertrauensgebiet-lnformationen erhalt (206), 
die von der Vertrauensgebiet-Definitionsein- 
richtung gespeichert werden, verifiziert (208), 
daB sowohl der Computer (150) als auch der 
spezifizierte Computer (170) Elemente wenig- 
stens eines gemeinsamen Vertrauensgebiets 
sind, und ein Vertrauensgebiet aus dem wenig- 
stens einen gemeinsamen Vertrauensgebiet 
wahft(212), 

die Nachricht (268) und das Etikett (251), das 
der Nachricht zugeordnet ist, authentifiziert 
(218) und 

eine Protokolfdateneinheit (250) erzeugt 
(218-220), die an den spezifizierten anderen 
Computer uber die Computemachricht-Sende- 
vorrichtung (155) gesendet werden soli, wobei 
die Protokolldateneinheit die authentifizierte 
Nachricht und das authentifizierte Etikett sowie 
einen Identifizierer (252), der das gewahlte 
Vertrauensgebiet identifiziert, enthalt; 
wobei die vertrauensgebiet-Diensteinrichtung 
(1 56) femer so beschaffen ist, daB sie: 
die Nachricht (268) und das Etikett (251) in je- 
der von dem Computer uber die Nachrichtens- 
ende- und Nachrichtenmpfangsvorrichtung 
von anderen Computern empfangenen Proto- 
kolldateneinheit (250) validiert und 
das Etikett und die Nachricht in der empfange- 
nen Protokolldateneinheit in Ubereinstimmung 
mit dem im voraus definierten Sicherheitspro- 
tokoll, das dem gewahlten Vertrauensgebiet 
entspricht, das von dem Identifizierer in der 
empfangenen Protokolldateneinheit identifi- 
ziert wird, verarbeitet (245); 



9 



17 



EP0 465 016 B1 



18 



wobei die vertrauensschaffende Berechnungs- 
basis (160) in wenigstens einer Mehrzahl der 
Computer eine Einrichtung zum Erzwingen 
mehrerer im voraus definierter Sicherheitspro- 
tokolle in bezug auf die empfangenen Proto- s 
kolidateneinheiten (250) enthalt, wobei jedes 5. 
im voraus definierte Sicherheitsprotokoll einem 
der im voraus definierten Vertrauensgebiete 
entspricht; wobei eines der mehreren im voraus 
definierten Sicherheitsprotokolle von der ver- 10 
trauensschaffenden Berechnungsbasis (160) 
auf jede empfangene Protokolldateneinheit 
(250) in Ubereinstimmung mit dem gewahlten 
Vertrauensgebiet, das durch den Identifizierer 
(252) in der empfangenen Protokolldatenein- is 
heit (250) identifiziert wird, angewendet wird. 

2. Nachrichtensendevorrichtung nach Ansprucn 1, 
wobei die Vertrauensgebiet-Diensteinrichtung 
(156) so beschaffen ist, daB sie das Senden einer 20 
Nachrichtabbricht (208, 210), wenn in Ubereinstim- 
mung mit den in der Vertrauensgebiet-Definitions- 
einrichtung (130) gespeicherten Informationen der 
Computer und der spezifizierte andere Computer 
nicht Elemente eines gemeinsamen Vertrauensge- 2s 
biets sind. 

3. Nachrichtensendevorrichtung nach Ansprucn 1 
oder Anspruch 2, wobei die Vertrauensgebiet- 
Diensteinrichtung (174) so beschaffen ist, daft sie 30 
das Etikett in der empfangenen Protokolldatenein- 
heit (250) an die vertrauensschaffende Berech- 6. 
nungsbasis (180) transportiert; und wobei die ver- 
trauensschaffende Berechnungsbasis (180) so be- 
schaffen ist, daB sie eine im voraus definierte Si- 35 
cherheitspolitik in bezug auf die Nachricht in der 
empfangenen Protokolldateneinheit (250) in Uber- 
einstimmung mit dem Etikett erzwingt. 

4. Nachrichtensendevorrichtung nach Anspruch 1, *o 
wobei die Vertrauensgebiet-Diensteinrichtung 

(1 56) eine Einrichtung enthalt, die in jede gesende- 
te Protokolldateneinheit (250) einen Quellenidenti- 
fizierer (262) einbaut, der den Computer identifi- 
ziert, der die gesendete Protokolldateneinheit (250) 
sendet; 

der Vertrauensgebietdienst eine Einrichtung 
zum Identifizieren des Quellenidentifizierers 
(262) und des gewahlten Vertrauensgebieti- so 
dentifizierers (252) enthalt; 
die Protokolldateneinheit (250) den authentifl- 
zierten Queilenidentifizierer und den authenti- 
fizierten gewahlten Vertrauensgebietidentifi- 
zierer (252) enthalt; und S5 
die Einrichtung (156, 174) zum Validieren der 
von dem Computer empfangenen Nachrichten 
eine Einrichtung, die jede der Komponenten ei- 



ner empfangenen Protokolldateneinheit (250) 
validiert, bevor sie die Nachricht in der Proto- 
kolldateneinheit (250) als authentisch an- 
nimmt. 

Nachrichtensendevorrichtung nach Anspruch 1, 
wobei die Vertrauensgebiet-Diensreinrichtung 
(1 56) so beschaffen ist, daB sie: 

in jede gesendete Protokolldateneinheit (250) 

einen Queilenidentifizierer (262) einbaut, der 

den die gesendete Protokolldateneinheit (250) 

sendenden Computer identifiziert, 

den Queilenidentifizierer und den gewahlten 

Vertrauensgebietidentifizierer authentifiziert 

und 

die Nachricht (268) und deren Etikett (251 ) ver- 
siegeit; 

wobei die Protokolldateneinheit (250) den au- 
thentifizierten Queilenidentifizierer, den au- 
thentrfizierten gewahlten Vertrauensgebieti- 
dentifizierer (252) und die versiegelte Nach- 
richt (268) und das versiegelte Etikett (251 ) ent- 
halt; und 

die Vertrauensgebiet-Diensteinrichtung (174) 
ferner so beschaffen ist, daB sie jede der Kom- 
ponenten einer empfangenen Protokolldaten- 
einheit (250) validiert, bevor sie die versiegelte 
Nachricht in der Protokolldateneinheit (250) als 
authentisch annimmt. 

Verfahren zum Erzwingen von Sicherheitsprotokol- 
len, wenn Nachrichten zwischen Computem uber 
ein Computernetz mit mehreren damit verbunde- 
nen Computem gesendet werden, wobei das Ver- 
fahren die folgenden Schritte enthalt: 

Speichern von Informationen (1 30), die Com- 
puter bezeichnen, die Elemente von im voraus 
definierten Vertrauensgebieten sind; wobei 
samtliche Elemente jedes im voraus definierten 
Vertrauensgebiets eine gemeinsame Menge 
von Sicherheitsprotokollen zum Schutzen der 
Vertraulichkeit der Daten erzwingen; 
Authentifizieren (218) und Validieren (236) ei- 
ner spezifischen Nachricht, die eine in einem 
Computer (150) laufende Anwendung an einen 
spezifizierten anderen Computer (170) uber 
das Netz zu Schicken versucht, wobei jede 
Nachricht Daten enthalt, die ein zugeordnetes 
Etikett besitzen, das angibt, wie eine im voraus 
definierte Sicherheitspolitik in bezug auf die 
Nachricht zu erzwingen ist; 

dadurch gekennzeichnet, daB die Authentifi- 
zierungs- und validierungsschritte die folgenden 
Schritte enthalten: 
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Zugreifen (206) auf die gespeicherten Vertrau- 
ensgebietinfonmationen. Verifizieren, da3 so- 
wohl das Compute rsystem als auch das spezi- 
fizierte Computersystem Elemente wenigstens 
eines gemeinsamen Vertrauensgebiets sind, * 
und Wahlen eines Vertrauensgebiets aus dem 
wenigstens einen gemeinsamen Vertrauens- 
gebiet; 

Authentifizieren (218) der Nachricht und ihres 
zugeordneten Etiketts; 10 
Senden (222) einer Protokolldateneinheit 
(250), die die authentifizierte Nachricht (268) 
und das authentifizierte Etikett (251) sowie ei- 
nen das gewahlte Vertrauensgebiet identifizie- 
renden Identifizierer (252) enthalt, an den spe- *s 
zifizierten anderen Computer; 
Empfangen (230) der Protokolldateneinheit 

(250) in dem spezifizierten anderen Computer; 
Validieren (236) der Nachricht und des Etiketts 

(251) in der empfangenen Protokolldatenein- 20 
heit (250), bevor die Nachricht und das Etikett 
(251 ) in der Protokolldateneinheit (250) als au- 
thentisch angenommen werden; 

Verarbeiten des Etiketts (251) und der Nach- 
richt in der empfangenen Protokolldateneinheit 2s 
(250) in Ubereinstimmung mit dem im voraus 
definierten Sicherheitsprotokoll, das dem ge- 
wahlten Vertrauensgebiet entspricht, das durch 
den Identifizierer in der empfangenen Proto- 
kolldateneinheit (250) identifiziert wird; und 30 
in wenigstens einer Mehrzahl der Computer Er- 
zwingen mehrerer im voraus definierter Sicher- 
heitsprotokolle in bezug auf die empfangenen 
Protokolldateneinheiten (250), wobei jede im 
voraus definierte Sicherheitspolitik einem der 35 
im voraus definierten Vertrauensgebiete ent- 
spricht; wobei die im voraus definierte Sicher- 
heitspolitik, die in bezug auf jede empfangene 
. Protokolldateneinheit (250) erzwungen wird, 
dem gewahlten Vertrauensgebiet entspricht, *o 
das durch den identifizierer in der empfange- 
nen Protokolldateneinheit (250) identifiziert 
wird. 

7. Verfahren zum Erzwingen von Sicherheitsprotokol- 45 
len beim Senden von Nachrichten zwischen Com- 
putern nach Anspruch 6, mit dem Schritt des Ab- 
brechens (208, 210) des Sendens einer Nachricht, 
wenn in Ubereinstimmung mit den gespeicherten 
Vertrauensgebiet-lnformationen der Computer und so 
der spezifizierte andere Computer nicht Elemente 
eines gemeinsamen Vertrauensgebiets sind. 

8. Verfahren zum Erzwingen von Sicherheitsprotokol- 

len beim Senden von Nachrichten zwischen Com- 55 
putern nach Anspruch 6 Oder Anspruch 7, mit dem 
Schritt des Erzwingens einer im voraus definierten 
Sicherheitspolitik in bezug auf die Nachricht in der 



empfangenen Protokolldateneinheit (250) in Uber- 
einstimmung mit dem Etikett (251) in der empfan- 
genen Protokolldateneinheit (250). 

9. Verfahren zum Erzwingen von Sicherheitsprotokol- 
len beim Senden von Nachrichten zwischen Com- 
putem nach Anspruch 6, 7 Oder 8, 

wobei der Authentifizierungsschritt (218) die 
Authentifizierung eines Quellenidentifizierers 
(262), der den die gesendete Protokolldaten- 
einheit (250) sendenden Computer identifiziert, 
sowie die Authentifizierung des gewahlten Ver- 
trauensgebietidentifizierers (252) fur die Proto- 
kolldateneinheit (250) enthalt; 
der Sendeschritt (222) das Senden des authen- 
- tifizierten Quellenidentifizierers und des au- 
thentifizierten gewahlten Vertrauensgebieti- 
dentifizierers als Teil jeder gesendeten Proto- 
kolldateneinheit (250) enthalt; und 
der validierungsschritt (236) die validierung 
samtlicher authentifizierter Komponenten einer 
empfangenen Protokolldateneinheit (250) vor 
der Annahme der Nachricht in der Protokollda- 
teneinheit (250) ais authentisch enthalt. 

10. Verfahren zum Erzwingen von Sicherheitsprotokol- 
len beim Senden von Nachrichten zwischen Com- 
putern nach irgendeinem der Anspruche 6, 7, 8 
Oder 9, 

wobei der Authentifizierungsschritt (218) die 
Authentifizierung eines Quellenidentifizierers, 
der den die gesendete Protokolldateneinheit 

(250) sendenden Computer identiziert, sowie 
die Authentifizierung des gewahlten Vertrau- 
ensgebietidentifizierers (252) fur die Protokoll- 
dateneinheit (250) enthalt; 

wobei das Verfahren femer den Schritt des Ver- 
siegelns (220) der Nachricht und ihres Etiketts 

(251) enthalt: 

der Sendeschritt (222) das Senden der versie- 
gelten Nachricht und des versiegetten Etiketts 
(251), des authentifizierten Quellenidentifizie- 
rers und des authentifizierten gewahlten Ver- 
trauensgebietidentffizierers als Teil jeder ge- 
sendeten Protokolldateneinheit (250) enthalt; 
und 

der validierungsschritt (236) die validierung 
samtlicher authentifizierter Komponenten einer 
empfangenen Protokolldateneinheit (250) vor 
der Annahme der Nachricht in der Protokollda- 
teneinheit (250) als authentisch enthalt. 



Revendicatione 

1 . Appareil de transmission de messages dans un re- 
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seau informatique comportant: 

une multiplicity d'ordinateurs (102 a 108, 150, 
170) interconnectes par un reseau, chaque or- 
dinateur (150) comprenant des appareils s 
demission et de reception de donnyes (155, 
172), ainsi qu'un appareil de security (156 a 
1 62) qui genfcre des unites de donnees de pro- 
tocols (250) a transmettre a d'autres ordina- 
teurs parmi lesdits ordinateurs (1 70) par I'inter- io 
mediaire desdits appareils d'emission et de re- 
ception de donnyes, et qui valide et traite des 
unites de donnees de protocoles recues a partir 
d'autres ordinateurs parmi lesdits ordinateurs 
par I'intermediaire desdits appareils d'emission is 
et de reception de donnees; • 
I'appareil de security (1 56 a 1 62) de chaque or- 
dinateur d'une multiplicity desdits ordinateurs 
(150) comportant: 

une base de calcul a securite multiniveau (160) 20 
qui applique une politique de security prectefi- 
nie dans ledit ordinateur et qui definit un niveau 
de securite pour chaque ensemble de donnees 
emmagasiny dans celui-ci; 
des moyens d'authentification (162, 178) pour 25 
authentifier et valider des messages envoy6s 
a un autre ordinateur par I'intermediaire dudit 
reseau; et 

des moyens de definition de domaines de sy- 
curite (130) pour emmagasiner des informa- 30 
tions designant ceux desdits ordinateurs qui 
sont des membres de domaines de securite 
predefinis; dans lesquels, pour chaque domai- 
ne de securite predefini, il y a un protocole de 
securite predefini correspondent, appliqu6 par 35 
tous les membres dudit chaque domaine de se- 
curite predefini, pour proteger la confidentiality 
de donnees transmises entre lesdits membres 
dudit chaque domaine de securite predefini; 

40 

caracterise en ce que: 

chaque dit message (1 53B) comporte des don- 
nees ayant une etiquette assoctee (251) ddsi- 
gnant ia maniere dont ladite base de calcul a *s 
security multiniveau doit appliquer la politique 
de securite par rapport audit message; 
ledit appareil de securite (1 56 a 1 62) de chaque 
ordinateur de ladite multiplicity desdits ordina- 
teurs comprend, en outre: so 
des moyens de services de domaines de secu- 
rity (156), couples a ladite base de calcul a se- 
curity multiniveau (160), auxdits moyens 
d'authentification (162) et auxdits moyens de 
definition de domaines de securite (130), pour ss 
preparer un message specific (153B) a trans- 
mettre a un autre ordinateur (170) specrfiy, les- 
dits moyens de services de domaines de secu- 



rity etant adaptes pour: 
obtenir (206) des informations de domaines de 
sycurite emmagasines par lesdits moyens de 
definition de domaines de security, verifier 
(208) qu'aussi bien ledit ordinateur (150) que 
ledit ordinateur specific (170) sont des mem- 
bres d'au moins un domaine de security com- 
mun, et syiectionner (212) un domaine de se- 
curity parmi lesdits domaines de security com- 
muns au nombre d'au moins un; 
authentifier (218) ledit message (286) et ladite 
etiquette (251 ) associye audit message; et 
genyrer (218 a 220) une unite de donnees de 
protocoles (250), a transmettre audit autre or- 
dinateur specifie par I'intermediaire de i'appa- 
reil de transmission de messages (155) dudit 
ordinateur, ladite unite de donnees de protoco- 
les comprenant ledit message et ladite etiquet- 
te authentifies, et un identificateur (252) qui 
identifie ledit domaine de security selectionne; 
lesdits moyens de services de domaines de sy- 
curite (156) etant adaptes, en outre, pour: 
valider (236) le message (268) et ('etiquette 
(251 ) se trouvant dans chaque unity de don- 
nees de protocoles (250) recue par ledit ordi- 
nateur, par I'intermediaire desdits appareils 
demission et de reception de messages, a par- 
tir d'autres ordinateurs parmi lesdits ordina- 
teurs; et 

trailer (245) ladite ytiquette et ledit message se 
trouvant dans ladite unite de donnees de pro- 
tocoles recue conformement au protocole de 
sycurite prydyfini correspondant au domaine 
de securite syiectionne identifie par ledit iden- 
tificateur se trouvant dans ladite unite de don- 
nyes de protocoles recue; 
ladite base de calcul a security multiniveau 
(160) d'au moins une multiplicity desdits ordi- 
nateurs comprenant des moyens pour appli- 
quer une multiplicity de protocoles de security 
predyfinis par rapport a des unites de donnyes 
de protocoles (250) recues, chaque protocole 
de sycurite predefini correspondant a Tun des- 
dits domaines de security predyfinis; I'un des 
protocoles de ladite multiplicity de protocoles 
de sycurite predefinis ytant appiiquy par ladite 
- base de calcul a security multiniveau (160) a 
chaque unity de donnyes de protocoles (250) 
recue en fonction du domaine de sycurite sy- 
lectionny identify par (edit identificateur (252) 
se trouvant dans ladite chaque unity de don- 
nees de protocole (250) recue. 

2. Appareil transmission de messages selon la reven- 
d teat ion 1, dans lequel lesdits moyens de sen/ices 
de domaines de security (156) sont adaptes pour 
abandonner (208, 210) la transmission cfun mes- 
sage lorsque, selon lesdites informations emmaga- 
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singes dans iesdits moyens de definition de domai- 
nes de security (130), ledit ordinateur et ledit autre 
ordinateur specrfie ne sont pas des membres d'un 
domaine de securite commun. 

5 

3. Appareil de transmission de messages selon la re- 
vendication 1 ou ia revendication 2, Iesdits moyens 
de services de domaines de securite (174) 6tant 
adaptes pour acheminer ladite etiquette se trouvant 
dans ladite unite de donnees de protocoles (250) io 
recue a ladite base de calcul a securite multiniveau 
(180); ladite base de calcul a securite multiniveau 

( 1 80) etant adaptee pour appliquer une politique de 
securite predefinie par rapport audit message se 
trouvant dans ladite unite de donnees de protocoles 1 s 
(250) recue en fonction de ladite Etiquette. 

4. Appareil de transmission de messages selon la re- 
vendication 1 , tedits moyens de services de domai- 
nes de securite (1 56) comprenant des moyens pour 20 
inclure, avec chaque unite de donnees de protoco- 
les (250) transmise, un identificateur de source 
(262) qui identifie I'ordinateur envoyant ladite unite 

de donn6es de protocoles (250) transmise; 

25 

Iesdits moyens de services de domaines de se- 
curite comprenant des moyens pour authenti- 
fier ledit identificateur de source (262) et ledit 
identificateur de domaine de securite selection- 
ne (252); 30 
ladite unite.de donnees de protocoles (250) 
comprenant ledit identificateur de source 
authentifie et ledit identificateur de domaine de 
securite s6lectionn6 (252) authentifie; et 
Iesdits moyens (156, 174) pour valider des 35 
messages recus par ledit ordinateur compre- 
nant des moyens pour valider chacun des com- 
posants d'une unite* de donnees de protocoles 
(250) recue avant d'accepter comme authenti- 
que ledit message se trouvant dans ladite unite #> 
de donn6es de protocoles (250). 

5. Appareil de transmission de messages selon la re- 
vendication 1 , Iesdits moyens de services de do- 
maines de securite (1 56) etant adapts pour: *s 

inclure, avec chaque unite de donnees de pro- 
tocoles (250) transmise, un identificateur de 
source (262) qui identifie Pordinateur envoyant 
ladite unite de donnees de protocoles (250) so 
transmise; 

authentifier ledit identificateur de source et ledit 
identificateur de domaine de securite seiection- 
n6; et 

cacheter ledit message (268), ainsi que son eti- 55 
quette(251); 

ladite unite de donnees de protocoles (250) 
comprenant ledit identificateur de source 



authentift6, ledit identificateur de domaine de 
securite selectionne (252) authentifie, et ledit 
message (268) et ladite etiquette (251) cache- 
tes; et 

Iesdits moyens de services de domaines de se- 
curite (174) etant adaptes, en outre, pour vali- 
der chacun desdits composants d'une unite de 
protocoles de donnees (250) recue avant d'ac- 
cepter comme authentique ledit message ca- 
chete se trouvant dans ladite unite de donnees 
de protocoles (250). 

6. Proced6 duplication de protocoles de s6curite lors 
de la transmission de messages entre des ordina- 
teurs par I'intermediaire d'un reseau informatique 
auquel sont couples une muttiplicite d'ordinateurs, 
les etapes du precede consistant: 

a emmagasiner des informations (130) d£si- 
gnant des ordinateurs qui sont des membres 
de domaines de securite predefinis; tous les 
membres de chaque domaine de securite pre- 
define appliquant un ensemble commun de pro- 
tocoles de securite pour proteger la confidenti- 
aiite de donnees; 

a authentifier (218) et a valider (236) un mes- 
sage specif ie qu'une application executee dans 
un ordinateur (1 50) tente d'envoyer a une autre 
ordinateur specif i6 (170) par I'intermediaire du- 
dit reseau, chaque dit message comportant des 
donnees ayant une etiquette associee desi- 
gnant la maniere dont une politique de securite 
predefinie doit etre appliqu6e par rapport audit 
message; 

caracterise en ce que lesdites etapes 
d'authentification et de validation comprennent les 
etapes consistant: 

a acceder (206) auxdites informations de do- 
maines de securite emmagasinees, a verifier 
qu'aussi bien ledit systeme informatique que le- 
dit sy st erne informatique specif! e sont des 
membres cfau moins un domaine de securite 
commun, et a s6lectionner un domaine de se- 
curite parmi iesdits domaines de securite com- 
muns au nombre d'au moins un; 
a authentifier (218) ledit message et son eti- 
quette associee; 

a transmettre (222) audit autre ordinateur spe- 
cifie une unite de donnees de protocoles (250) 
comprenant ledit message (268) et ladite eti- 
quette (251 ) authentiftes, ainsi qu'un identifica- 
teur (252) qui identifie (edit domaine de securite 
seiectionn6; 

a recevoir (230) ladite unite de donnees de pro- 
tocoles (250) au niveau dudit autre ordinateur 
specifid; 
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a valider (236) le message et 1'etiquette (251) 
se trouvant dans ladite unite de donnees de 
protocoles (250) recue avant d'accepter com- 
me authentiques ledit message et ladite eti- 
quette (251) se trouvant dans ladite unite de s 
donnees de protocoles (250); 
a trailer ladite etiquette (251) et ledit message 
se trouvant dans ladite unite de donnees de 
protocoles (250) recue conformement au pro- 
tocol de securite predefini correspondant au io 
domaine de securite selectionne identifie par 
ledit identificateur dans ladite unite de donnees 
de protocoles (250) recue; et 
dans au moins une multiplicite desdits ordina- 
teurs, a appliquer une multiplicite de protocoles 15 
de securite predefinis par rapport a des unites 
de donnees de protocoles (250) recues, cha- 
que politique de securite predefinie correspon- 
dant a I'un desdits domaines de securite pre- 
definis; la politique de securite predefinie appli- 20 
quee par rapport a chaque unite de donnees 
de protocoles (250) recue correspondant au 
domaine de securite selectionne identifie par 
ledit identificateur se trouvant dans ladite cha- 
que unite de donnees de protocoles (250) re- 25 
cue. 

Precede d'application de protocoles de securite lors 
de la transmission de messages entre des ordina- 
teurs selon la revendication 6, comprenant I'etape 30 
consistant a abandonner (206, 210) la transmission 
d'un message lorsque, sebn ledites informations 
de domaines de securite emmagasinees, ledit ordi- 
nateur et ledit autre ordinateur specrfie ne sont pas 
des membres d'un domaine de securite commun. 35 

Precede d'application de protocoles de securite lors 
de la transmission de messages entre des ordina- 
teurs selon la revendication 6 or ia revendication 7, 
comprenant I'etape consistant a appliquer une po- 40 
litique de securite predefinie par rapport audit mes- 
sage se trouvant dans ladite unite de donnees de 
protocoles (250) recue en fonctbn de ladite etiquet- 
te (251) se trouvant dans ladite unite de donnees 
de protocoles (250) recue. 45 



ladite etape de transmission (222) comprenant 
ta transmission, en tant que partie de chaque 
unite de donnees de protocoles (250) transmi- 
se, ledjt identificateur de source authentifie et 
ledit identificateur de domaine de securite se- 
lectionne, authentifie; et 
ladite etape de validation (236) comprenant la 
validation de tous les composants authentifies 
d'une unite de donnees de protocoles (250) re- 
cue avant d'accepter comme authentique ledit 
message se trouvant dans ladite unite de don- 
nees de protocoles (250). 

1 0. Precede d'application de protocoles de securite lors 
de la transmission de messages entre des ordina- 
teurs selon Tune quelconque des revendications 6, 
7, 8 ou 9, 

ladite etape d'authentification (218) compre- 
nant I'authentification d'un identificateur de 
source qui identifie i'ordinateur envoyant ladite 
unite de donnees de protocoles (250) transmi- 
se, et I'authentification dudrt identificateur de 
domaine de securite selectionne (252) pour la- 
dite units de donnees de protocoles (250); 
ledit procede comprenant, en outre, I'etape 
consistant a cacheter (220) ledit message et 
son etiquette (251); 

ladite etape de transmission (222) comprenant 
la transmission, en tant que partie de chaque 
unite de donnees de protocoles (250) transmi- 
se, ledit message et ladite etiquette (251 ) ea- 
ch etes, ledit identificateur de source authentifie 
et ledit identificateur de domaine de securite 
selectionne, authentifie; et 
ladite etape de validation (236) comprenant la 
validation de tous les composants authentifies 
d'une unite de donnees de protocoles (250) re- 
cue avant d'accepter comme authentique tedit 
message se trouvant dans ladite unite de don- 
nees de protocoles (250). 



Procede d'application de protocoles de securite tors 
de la transmission de messages entre des ordina- 
teurs selon ta revendication 6, 7 ou 8, 

so 

ladite etape d'authentification (218) compre- 
nant I'authentification d'un identificateur de 
source (262) qui identifie I'ordinateur envoyant 
ladite unite de donnees de protocoles (250) 
transmise, et I'authentification dudit identifica- 55 
teur de domaine de securite selectionne (252) 
pour ladite unite de donnees de protocoles 
(250); 
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